NAME: Win95.Yildiz
AUTHOR: Black Jack [independent Austrian Win32asm virus coder]
CONTACT: Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack
TYPE: Win9x direct acting/global ring3 resident PE header cavity virus
SIZE: 323 bytes (but of course infected files won't increase in size)
DESCRIPTION: When an infected file is run, the virus takes control. It then
tries to find the kernel32 base address by a simple algorithm
which should make it compatible with Win9X and WinME (although I
haven't tested it with the second one). After that it gets the
undocumented Win9X API VxDCall0 and uses it to call int 21h. The
VxDCall0 API is the very first exported API in Win9X; I don't
know which API is first in WinNT, that's why unpredictable
results may occur when the virus runs in that OS (I haven't tried
it out, but of course the virus can't work in NT).
Then it goes TSR (read more about this a bit later), and infects
all PE EXE files in the current directory by overwriting the
unused padding bytes in the PE header with the virus body.
The memory residency consists of infecting kernel32.dll in memory.
To do so, it creates a temporary file called "Yildiz." and writes
the first 4KB of kernel32.dll there. Then this file is infected
like any other PE file. And finally the content of the infected
temp file is read back into kernel32 memory. Yes, you read that
right: by using int 21h via VxDCall0 you can read from a file
into read-only memory! (This trick was discovered by Murkry/IkX;
read more about it in the comments to his Darkside virus source,
published in Xine#3.)
As I have already said, kernel32 is infected in memory just
like any other file; this means the entry point is set to the
virus, no APIs are hooked. As you should know, the entry point
of a DLL is an init routine (DllMain) that is called whenever the DLL
is loaded by a program. And since kernel32 is imported by virtually
every Win32 program, this means for us that whenever a program is run
(and kernel32 is mapped into the program's address space), our virus
will infect all PE EXE files in the directory of the program.
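The description above gives a defender two on-disk traces to look for in a header-cavity infection: non-zero bytes in the padding between the end of the section table and the first section's raw data, and an AddressOfEntryPoint that lies inside the headers instead of inside any section. The checker below is added here as an illustration and is not part of the Yildiz source or the author's code. It builds a constructed minimal PE32 file in memory (not a real program, no Windows needed), plants 323 inert 0xCC filler bytes (not virus code) in the header padding the way the text describes, and reports both traces before and after. The layout constants (e_lfanew 0x80, SizeOfHeaders 0x400, FileAlignment 0x200) are assumptions chosen for the sample, and the size check in `plant_cavity_payload` shows the caveat the text implies: a file whose padding is shorter than the virus body cannot be infected in place.

```python
import struct
from dataclasses import dataclass

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
SECTION_HDR_LEN = 40


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_addr: int
    raw_size: int
    raw_ptr: int


def build_minimal_pe(code: bytes = b"\xC3") -> bytes:
    """Constructed minimal PE32 file: 64-byte DOS header, 64-byte zero stub,
    NT headers at 0x80, one .text section whose raw data starts at 0x400.
    Test input for the checker below, not a real program (assumed layout)."""
    e_lfanew = 0x80
    size_opt = 224                       # PE32 optional header size
    sect_table = e_lfanew + 4 + 20 + size_opt
    size_headers = 0x400                 # SizeOfHeaders == first PointerToRawData
    text_va = SECT_ALIGN
    image = bytearray(size_headers)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine i386, 1 section, stamp, symtab, nsyms,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4,
                     0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt + 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", image, opt + 16, text_va)         # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 20, text_va)         # BaseOfCode
    struct.pack_into("<I", image, opt + 28, 0x400000)        # ImageBase
    struct.pack_into("<I", image, opt + 32, SECT_ALIGN)      # SectionAlignment
    struct.pack_into("<I", image, opt + 36, FILE_ALIGN)      # FileAlignment
    struct.pack_into("<I", image, opt + 56, 2 * SECT_ALIGN)  # SizeOfImage
    struct.pack_into("<I", image, opt + 60, size_headers)    # SizeOfHeaders
    struct.pack_into("<H", image, opt + 68, 2)               # Subsystem: GUI
    struct.pack_into("<I", image, opt + 92, 16)              # NumberOfRvaAndSizes
    # Section header: .text, CODE | EXECUTE | READ
    struct.pack_into("<8sIIIIIIHHI", image, sect_table,
                     b".text\0\0\0", len(code), text_va, FILE_ALIGN,
                     size_headers, 0, 0, 0, 0, 0x60000020)
    return bytes(image) + code.ljust(FILE_ALIGN, b"\0")


def parse_headers(data: bytes) -> dict:
    """Pull out the fields the cavity check needs from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sect_table = opt + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, sect_table + SECTION_HDR_LEN * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, va, rsize, rptr))
    header_end = sect_table + SECTION_HDR_LEN * num_sections
    first_raw = min([s.raw_ptr for s in sections if s.raw_ptr] + [size_headers])
    return {"e_lfanew": e_lfanew, "entry_rva": entry_rva,
            "size_headers": size_headers, "header_end": header_end,
            "first_raw": first_raw, "sections": sections}


def header_cavity_report(data: bytes) -> dict:
    """Report the two traces of a header-cavity infection: used padding bytes
    after the section table, and an entry point outside every section."""
    h = parse_headers(data)
    cavity = data[h["header_end"]:h["first_raw"]]
    in_section = any(s.virtual_addr <= h["entry_rva"]
                     < s.virtual_addr + max(s.virtual_size, s.raw_size)
                     for s in h["sections"])
    # Header RVAs equal file offsets, so an entry point below SizeOfHeaders
    # that is not inside any section executes out of the header itself.
    return {"cavity_size": len(cavity),
            "cavity_nonzero": len(cavity) - cavity.count(0),
            "entry_rva": h["entry_rva"],
            "entry_in_header": h["entry_rva"] < h["size_headers"] and not in_section}


def plant_cavity_payload(data: bytes, payload: bytes) -> bytes:
    """Reproduce the infection pattern on a constructed sample: copy an inert
    payload into the header padding and point the entry point at it. The
    payload is filler, not virus code; file size does not change."""
    h = parse_headers(data)
    if len(payload) > h["first_raw"] - h["header_end"]:
        raise ValueError("header cavity too small; cannot infect in place")
    out = bytearray(data)
    out[h["header_end"]:h["header_end"] + len(payload)] = payload
    struct.pack_into("<I", out, h["e_lfanew"] + 24 + 16, h["header_end"])
    return bytes(out)
```

On the constructed sample the clean report shows a 608-byte all-zero cavity and an entry point in .text; after planting 323 filler bytes the cavity count is 323, the file length is unchanged, and the entry point sits at file offset 0x1A0 inside the headers. Against real files, an entry point below SizeOfHeaders is by itself a strong signal, since legitimate linkers never place code there.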
ASSEMBLE WITH:
tasm32 /mx /m yildiz.asm
tlink32 /Tpe /aa yildiz.obj,,, import32.lib
there"s no need for PEWRSEC or a similar tool, because the